// How to test ?
...
Below that line, you should see a new hidden input line. If you try to remove it from XML and retry the page again once the login form posted, you should see an error message that the CSRF protection has failed which means the token was not recognized.

Can you describe how to "remove it from XML" to test that the error message appears?

You can also disable the XML file by renaming the filename extension or by disabling it from the VQMod Manager. When doing that, though, be sure to log in to your OC admin first. Then click on your store from the dropdown menu when testing.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand). Based on this explanation it seems very unlikely that CSRF is being used to create the fake customer and affiliate accounts that I have been experiencing each day. And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.

I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand).

No worries. It is likely that 99% of the issues users report on the forum aren't about actual OC issues anyhow.

And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.

Here's the version of the clarity that I have. CSRF does indeed not prevent spam, but it prevents floods from occurring on HTML POST forms when spammers attempt to flood these web forms. That being said, it has also never been said that the CSRF Protection Form prevents spam attacks on the Marketplace. While re-captcha is the additional solution, I have mentioned in multiple places on the forum that also installing re-captcha along with the CSRF protection, to protect against floods and spam, improves protection for stores.

Due to your lack of understanding and false publicity of analysis on the public forum and on MY TOPIC, your post has now been reported in order to be removed.

As for other users in the future wanting to understand the stability of this release, there's nothing wrong with the CSRF Protection Form extension. The extension itself has been delivered for free on the Marketplace and is only charged to those who require this extension to be installed. The installation itself requires no fee from the Marketplace. So far, I don't recall deceiving ANYONE during the custom jobs, as I intend to keep it that way.

Obviously, the 2nd post will lead back here, but it's just to show that running both together is the best solution to improve your site's protection.

Do NOT post the CSRF token value on the public forum. Use the latest CSRF extension release; you are using an old version.

This is not the updated version, as this has no longer been needed since the two latest updates on the Marketplace. The first post of this topic mentions where to download the CSRF Extension. The location did not change, but the extension has been updated at least twice since. Also, ensure your zlib.output_compression is set to On in your php.ini or .user.ini file.

With OC v3.x releases, the catalog header file won't propagate the CSRF due to the implementation of the TWIG engine. The original XML file delivered on the Marketplace should contain the blocks with the regular expressions for automatically placing the hidden CSRF input for each theme sub-folder where TWIG files are located, but I will post a demonstration anyway.

In this case, we're testing the contact us page. After applying this change, clear your OC cache from the OC admin (viewtopic.php?f=176&p=718325#p718325) and check the view source of the contact us page to see if the CSRF input shows.


I have disabled affiliate registrations so no longer receiving affiliate spam.

For customer registrations, I have stopped receiving fake registrations on one website (opencart 2.0.1.1). However, I am still receiving a ton of fake registrations on another site (opencart 2.0.3.1). Any idea why the mod is working on one site, but not the other?

Disabling the affiliate system won't solve the issue, since customer registrations can still be spammed. This support forum is for CSRF protection form troubleshooting / inquiries, not for general support. Is the CSRF token showing in your view source after adding the extension?

The instructions above were simply about adding the information block to see if you were able to see the CSRF input in the view source. Your XML file shows all TWIG folders, which makes the troubleshooting harder. Instructions unfollowed. In the meantime, you seem to have spaces between [ ~ and ~i ] and also between [ $1 ]. All these instances must not contain any spaces.

But you are still using all folders with TWIG files from the catalog end rather than simply testing one page at a time and noticing whether the CSRF input appears. Instructions are still unfollowed, as I only instructed to test the information/contact page, not the other pages in the catalog end.
